Message-ID: <50DD1BBA.3000604@redhat.com>
Date: Thu, 27 Dec 2012 21:10:34 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Moritz Muehlenhoff <jmm@...ian.org>, kk@...suke.org
Subject: Re: CVE request: Jenkins

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adding Kohsuke Kawaguchi to the CC since he seems to be a Jenkins
security-related person. Also, if you need CVEs for Jenkins (or any
other major Open Source project you participate in; this goes for
everyone) in future, contact me and they can be assigned prior to
advisory release, which makes life easier for everyone.

On 12/27/2012 01:31 PM, Moritz Muehlenhoff wrote:
> Hi, these Jenkins security issues don't seem to have CVEs assigned
> so far:
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20
>
> I can't provide links to upstream fixes, but three CVE IDs seem
> needed (HTTP response splitting, open redirect and XSS)
>
> Cheers,
> Moritz
>

Yup, they appear to be new (the last batch I did is acknowledged in the
earlier security advisory from Jenkins).

From:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20

The first vulnerability is commonly known as an HTTP response splitting
vulnerability, which can act as a cross-site scripting vulnerability.
This allows an anonymous attacker to inject malicious HTML into pages
served by Jenkins. This in turn allows an attacker to escalate his
privileges by hijacking sessions of other users. To mount this attack,
the attacker needs to know the exact URL of your Jenkins installation.
This vulnerability affects those who run Jenkins on its built-in
servlet container (this includes all the native packages.)

Please use CVE-2012-6072 for this issue.

The second vulnerability is a so-called open redirect vulnerability.
This allows an anonymous attacker to create a URL that looks as if it's
pointing to Jenkins, yet it actually lands on a site that the attacker
controls. This can therefore be used as a basis for phishing.

Please use CVE-2012-6073 for this issue.

The third vulnerability is a cross-site scripting vulnerability that
allows an attacker with some degree of write access in Jenkins to embed
malicious JavaScript into pages generated by Jenkins.

Please use CVE-2012-6074 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBAgAGBQJQ3Ru6AAoJEBYNRVNeJnmTgG0QALXvW0uvx4Iwl8eH4qPaWXms
b9hvHXV+Gu4Ajp60kyXrFZ/YC3CXgXXvAMPzRf1MRwoqz/fIrUvAjAhQMLDkhWRJ
ZGbdzrIr7Hb44+/e7hpLc9eFWpB+otSNhN5bTK+x3pKinHgSpGQPIHbQ5haB0NIS
3J5gDbSeRtYbId4IYfbF6ZmaMqUDzpTBT+gStV+0dXGY3dWjtRDG9G9nAAWiIn8x
7Z+xriRAYo5M03fuKowCQioXNsS790OtIM8tK0E4ZU4w5FyFsWt1o9361weOuxJx
kYd8kxF5enAOEGCunGAGgUWo5ze+92TSPJJinSmBv8zNxi9gBf85FurWNh9ANS7T
EHk2SiVdqjP55y4wDlMgSZ59dgHkgok6A3Z4xNIe34ygmPy6OsGHECf3HswEajMW
9fI3+9O7vJF5/hA+iF1Z5LJjNT0i5DEugTbkejnf2EzrfGkqs2GFWY0BzygAvf8H
PNOkXsgYdMZkaK6EWYOeW2unENQ1+/eT+tpqwu2FvLkCHFDcBwXY1WpXztUnfilb
1C3HcKvF3q/yFuy8uaV0K/+R9iUJJRKVXw8mmuhzLt8vmoNWrec9BVxbKRlTgh4s
29IUAvrn6NOSnEjj+aP19QwDE9oUVAh0S+tj65C5V2Ft94EawlvYXHZK6cAeuXcw
H1n2tqwhW2AzLggF8P4O
=+kWZ
-----END PGP SIGNATURE-----
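The two anonymous-attacker issues quoted from the advisory, response splitting (CVE-2012-6072) and open redirect (CVE-2012-6073), are both closed on the server side by the same two checks: never emit a header value containing CR, LF or NUL, and never emit a Location that leaves your own host. The following Python is an added illustration of those checks; it is not code from this thread, from the advisory, or from Jenkins (which is Java), and the function names, the host name jenkins.example and every sample input are constructed for the example.

```python
# Added example, not code from this thread or from the Jenkins project.
# Defensive checks for the two vulnerability classes the advisory names:
#  - HTTP response splitting: a CR/LF inside a header value lets the rest of an
#    attacker-controlled string be read by the client as further headers and a
#    second response body (the XSS/session-hijack path in the advisory).
#  - Open redirect: a Location target that points off-site.
# Function names, the host name and all sample inputs are constructed.
from urllib.parse import urlsplit, urlunsplit

# Characters that end a header line or the header block; none may appear
# inside a single header value.
_HEADER_CONTROL_CHARS = ("\r", "\n", "\x00")


def is_safe_header_value(value: str) -> bool:
    """True if the value cannot split the response into extra headers or a body."""
    return not any(ch in value for ch in _HEADER_CONTROL_CHARS)


def safe_redirect_target(target: str, own_host: str) -> str:
    """Return a redirect target that stays on own_host, falling back to '/'.

    own_host must include the port if the site is served on a non-default one
    (assumption for this example). Absolute URLs on our own host are reduced to
    path and query; anything that is not a plain absolute path becomes '/'.
    """
    parts = urlsplit(target)
    if parts.netloc:
        # "https://other.example/..." and protocol-relative "//other.example/..."
        # both arrive here; only our own host passes, and only as a path.
        if parts.netloc.lower() != own_host.lower():
            return "/"
        return urlunsplit(("", "", parts.path or "/", parts.query, ""))
    if parts.scheme:
        # "javascript:" or "data:" URLs have no netloc but are not paths either.
        return "/"
    # A relative target must be an absolute path such as "/job/x". "//host" is
    # handled above; a backslash is rejected because some clients read
    # "/\host" as "//host".
    if target.startswith("/") and not target.startswith("//") and "\\" not in target:
        return target
    return "/"


def build_redirect_headers(target: str, own_host: str) -> list[tuple[str, str]]:
    """Headers for a 302 to target, with both checks applied in order.

    The redirect check runs on the raw string first; the header check then
    rejects any CR/LF that survived. urlsplit tolerates those characters, so
    the redirect validator alone would let a split through.
    """
    location = safe_redirect_target(target, own_host)
    if not is_safe_header_value(location):
        raise ValueError("refusing to emit a header containing CR, LF or NUL")
    return [("Location", location)]


if __name__ == "__main__":
    host = "jenkins.example"  # constructed host name
    for t in ("/job/demo/", "https://jenkins.example/job/demo/?x=1",
              "https://other.example/", "//other.example/",
              "/\\other.example", "javascript:alert(1)"):
        print(f"{t!r:45} -> {safe_redirect_target(t, host)!r}")
    try:
        build_redirect_headers("/job/demo/\r\nSet-Cookie: sid=attacker", host)
    except ValueError as e:
        print("rejected:", e)
```

The order of the two checks matters: Python's urlsplit silently drops tab, CR and LF from the string it parses, so a validator built only on the parsed pieces would accept a target that still carries a CRLF in the raw value. Rejecting control characters at the point where the header is written is the check that actually closes the splitting class, independently of whatever redirect policy sits in front of it.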